Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer

The Hacker News, May 23, 2026

Why It Matters

The attack demonstrates how a compromised open‑source release pipeline can silently inject a universal backdoor into thousands of PHP applications worldwide. By stealing a broad set of cloud and developer credentials, the breach poses a systemic risk to SaaS, DevOps and cryptocurrency services that rely on Laravel‑based software.

Key Takeaways

  • Attack rewrote every Git tag to point to malicious commit
  • Malicious src/helpers.php auto‑executes via Composer autoload on startup
  • Payload harvests cloud, CI/CD, wallet, browser and VPN credentials
  • Exfiltration sent encrypted to flipboxstudio.info, then backdoor self‑deletes
  • Over 700 compromised versions across four Laravel‑Lang packages

Pulse Analysis

The Laravel‑Lang compromise underscores a growing trend in software supply‑chain attacks that target the very mechanisms used to distribute updates. Instead of publishing a single malicious version, the adversary rewrote every existing Git tag across more than 700 releases, effectively turning each tag into a delivery vehicle for malicious code. This technique bypasses traditional checksum or hash‑based verification because the tag metadata itself is altered, and it exploits the trust developers place in the Laravel‑Lang organization’s release process. PHP developers who rely on Composer’s autoloader now face a silent, pervasive threat.

The injected `src/helpers.php` registers itself in the Composer `autoload.files` array, guaranteeing execution on every request without any explicit call. Once triggered, the script contacts a remote server, downloads a 5,900‑line PHP payload and launches platform‑specific modules that scrape credentials from cloud metadata services, CI/CD runners, Docker and Kubernetes configs, cryptocurrency wallets, browsers and VPN clients. Collected data is encrypted with AES‑256 and posted to flipboxstudio.info before the backdoor self‑deletes, leaving little forensic evidence. By harvesting such a wide array of secrets, the attackers can hijack cloud workloads, issue fraudulent transactions, and pivot across multiple services.

Enterprises and open‑source maintainers must tighten release integrity by enforcing signed Git tags, enabling two‑factor authentication on repository accounts, and monitoring for anomalous tag creation patterns. Developers should audit Composer lock files, verify the provenance of each package version, and consider pinning dependencies to known‑good releases. Security tools that scan for unexpected `autoload.files` entries can flag similar compromises early. The Laravel‑Lang incident serves as a stark reminder that even widely trusted libraries can become attack vectors, prompting a shift toward more rigorous supply‑chain verification across the PHP ecosystem.
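As an added example (not code from the article or from the Laravel-Lang project), the following Python script implements the last suggestion: it reads a composer.lock or vendor/composer/installed.json document and reports every `autoload.files` entry that a reviewed baseline has not approved. The baseline contents, the sample lock data and the package name `example-vendor/example-lang` are constructed for illustration.

```python
import json

# Constructed baseline of reviewed autoload.files entries (package -> paths);
# assumption: the team keeps it in version control and updates it after review.
BASELINE = {
    "laravel/framework": {"src/Illuminate/Foundation/helpers.php",
                          "src/Illuminate/Support/helpers.php"},
    "symfony/polyfill-mbstring": {"bootstrap.php"},
}

# Constructed sample in composer.lock shape; the last package stands in for a
# release that silently gained an unreviewed src/helpers.php.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0",
         "autoload": {"files": ["src/Illuminate/Foundation/helpers.php",
                                "src/Illuminate/Support/helpers.php"]}},
        {"name": "symfony/polyfill-mbstring", "version": "v1.29.0",
         "autoload": {"files": "bootstrap.php"}},
        {"name": "example-vendor/example-lang", "version": "1.2.3",
         "autoload": {"psr-4": {"Example\\": "src/"}, "files": ["src/helpers.php"]}},
    ],
    "packages-dev": [],
})

def iter_packages(doc):
    """Yield package records from composer.lock (packages + packages-dev),
    Composer 2 installed.json ({"packages": [...]}) or Composer 1 (bare list)."""
    data = json.loads(doc) if isinstance(doc, str) else doc
    if isinstance(data, list):
        yield from data
        return
    for key in ("packages", "packages-dev"):
        yield from data.get(key, [])

def autoload_files(pkg):
    """Return autoload.files entries; Composer accepts a string or a list here."""
    files = pkg.get("autoload", {}).get("files", [])
    return [files] if isinstance(files, str) else list(files)

def unexpected_autoload_files(doc, baseline=BASELINE):
    """List every autoload.files entry the baseline has not approved; each hit
    is code Composer runs on every request, before the application itself."""
    findings = []
    for pkg in iter_packages(doc):
        name = pkg.get("name", "?")
        for path in autoload_files(pkg):
            if path not in baseline.get(name, set()):
                findings.append({"package": name, "version": pkg.get("version", "?"), "file": path})
    return findings
```

Run it in CI by passing the contents of the real composer.lock to `unexpected_autoload_files()` and failing the build on any hit; a new entry such as `src/helpers.php` appearing in a package that never had one is exactly the signal this incident left behind.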

